Analysis Overview
SHA256
d1e9324a7a0159543f55c323f1956594c1c6995e656847348926e15ebdd88a21
Threat Level: Known bad
The file 03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 21:04
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 21:04
Reported
2024-06-11 21:07
Platform
win7-20240221-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2768-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 644fc2d42956fd5bafbf3c0ac49d444f |
| SHA1 | 11fad232a42041e5f5d8ba08e2d12af08b1c12fd |
| SHA256 | 1e76a8410cd4e4d3cc9235f959d099a2710d245b0211252e125401b287a556db |
| SHA512 | aed99aa443c967f12f8740e1118945d548f04bb7b3e74a2297c5f429d7d62453b2de8f8094f798025303b2c053ff0f2bb1bdc4612119f75435a1a3da57921ca1 |
memory/2768-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2812-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2812-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2890045061745fe49534d1a89555316a |
| SHA1 | 24f9cc5dfc06d216b8e8f6be9caf2fc738b27568 |
| SHA256 | 60cbb1bdb348d1c6d38ca4d1375336314adfd322156360c1e746181912ba4def |
| SHA512 | f271d0f090a5e86f6865e88744508bb3aa262e8148d339605dcdac1bce8f8f5d1000b16371e4cb64e7b7280278b22183f851883696b42d2c5ed21e8d805372f8 |
memory/2812-17-0x0000000000550000-0x000000000057A000-memory.dmp
memory/2812-23-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | cc7728dbfd8a24fc167c3556f6f31f73 |
| SHA1 | e952ca2d37ca0d7b97df01b1060f532b08da1ff1 |
| SHA256 | 307ca68809a5f701aa8bba3d717f2214979ce196aba3d03553c72115be150452 |
| SHA512 | 87d50d72273792e6b34960d8ca1fa4a21c4d62328904002d58863ea4aa563e25c32826f07bb631a4d711264c337c0f1f493f0bfa325706b22308c7f8467ef414 |
memory/324-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2416-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/324-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 21:04
Reported
2024-06-11 21:07
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3668 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3668 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3668 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3996 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3996 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3996 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\03305e97beded6f6a8746fc26e1c5350_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/3668-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 644fc2d42956fd5bafbf3c0ac49d444f |
| SHA1 | 11fad232a42041e5f5d8ba08e2d12af08b1c12fd |
| SHA256 | 1e76a8410cd4e4d3cc9235f959d099a2710d245b0211252e125401b287a556db |
| SHA512 | aed99aa443c967f12f8740e1118945d548f04bb7b3e74a2297c5f429d7d62453b2de8f8094f798025303b2c053ff0f2bb1bdc4612119f75435a1a3da57921ca1 |
memory/3996-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3668-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3996-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6ed66bfbd311d4b39c4d9a756dacd475 |
| SHA1 | 44a2ddf5ec0bc5cde475dd57d1c5efff3824f734 |
| SHA256 | ecad92a121ce1d10d413e3dd5e76d356a9f6d2782cde99701af97a3e71a2d2af |
| SHA512 | 634f825f332d79b6165a68b1728dc9649081c6fbec06785050a118ecd414ee6cf9dc5bea62b7fe678a3ce435139c7bb2140ccce259a14ca39f7a081dc0654f5a |
memory/3996-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2836-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2836-14-0x0000000000400000-0x000000000042A000-memory.dmp